Hi Shell,
: I was poking around my own server because I had an installation of
: torrential and found this vuln. The problem lies in getdox.php. It works
: by taking an argument after a "/". This specifies a file. The DOX folder
: that it grabs the files from is located in /dox such that / is the
: directory that the main index is in. Now, you can give it the parameter
: of /(any file) and it will fetch that file.
:
: EXAMPLES:
: http://www.example.com/torrential/dox/getdox.php/../forums.php (goes
: to the forums page)
: http://www.example.com/torrential/dox/getdox.php/../../index.html
: (goes to http://www.example.com/index.html in this case)
It isn't clear if this can be used to gain access to sensitive or
restricted files. The examples above both make it look like you would
normally have access to the forums.php or index.html files anyway. Will
this traverse out of the web root?
Brian
OSVDB.org
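
A containment check for the kind of path handling described in the report, as an added example that is not part of the original messages and is not Torrential's code. The function name `resolve_dox_path`, the directory layout and the sample files are constructed for illustration; the check resolves the requested path with `realpath()` and accepts it only if the result stays inside the dox directory.

```php
<?php
// Added example: hypothetical handler logic, not the getdox.php source.

/**
 * Resolve the path that follows the script name (PATH_INFO) to a regular
 * file inside $doxDir. Returns null if the file does not exist or if the
 * resolved location is outside $doxDir.
 */
function resolve_dox_path(string $doxDir, string $pathInfo): ?string
{
    $base = realpath($doxDir);
    if ($base === false || strpos($pathInfo, "\0") !== false) {
        return null; // missing base directory, or NUL byte in the request
    }

    // realpath() collapses "../" segments and follows symlinks, so the
    // comparison below is made on the location actually being opened.
    $target = realpath($base . DIRECTORY_SEPARATOR . ltrim($pathInfo, '/\\'));
    if ($target === false || !is_file($target)) {
        return null;
    }

    // Compare against the base plus a trailing separator so that a sibling
    // such as "/dox-old" is not mistaken for a path inside "/dox".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed layout mirroring the report: <root>/dox holds the documents,
// <root>/forums.php is an application page one level above it.
$root = sys_get_temp_dir() . '/torrential_demo_' . getmypid();
mkdir("$root/dox", 0700, true);
file_put_contents("$root/dox/readme.txt", "public doc\n");
file_put_contents("$root/forums.php", "<?php // application page\n");

// The request paths from the report's examples, plus one legitimate document.
foreach (['/readme.txt', '/../forums.php', '/../../index.html'] as $pathInfo) {
    $resolved = resolve_dox_path("$root/dox", $pathInfo);
    printf("%-20s => %s\n", $pathInfo, $resolved === null ? 'rejected' : 'served');
}

// Remove the constructed files.
unlink("$root/dox/readme.txt");
unlink("$root/forums.php");
rmdir("$root/dox");
rmdir($root);
```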